unsubbed.co

NPMplus

Listed as released under MIT, NPMplus builds on NGINX Proxy Manager with improvements for self-hosted infrastructure.

Open-source reverse proxy management, honestly reviewed. No marketing fluff, just what you get when you self-host it.

TL;DR

  • What it is: A community fork of Nginx Proxy Manager (NPM) that adds HTTP/3, CrowdSec integration, WAF support, and a hardened security posture on top of the same web GUI you already know [2][README].
  • Who it’s for: Home lab users and self-hosters who are already running nginx-proxy-manager and want better security, or anyone setting up a new reverse proxy who cares about modern TLS, intrusion prevention, and not exposing raw nginx config files [2][4].
  • Cost savings: There’s no SaaS alternative to compare against — this is a DevOps infrastructure tool, not a $99/mo SaaS subscription. The savings are measured in time and attack surface, not monthly bills.
  • License reality check: The merged profile lists this as MIT, but the README is explicit: NPMplus is distributed under AGPL-3.0. The upstream nginx-proxy-manager is MIT-licensed; NPMplus added the more restrictive copyleft. Worth knowing if you’re embedding this in a commercial product [README].
  • Key strength: Native CrowdSec and open-appsec WAF integration out of the box — features that take real effort to bolt onto vanilla NPM or raw nginx [2][4][5].
  • Key weakness: Stricter architecture requirements (x86_64-v2 minimum — plain x86-64 is not supported), AGPL-3.0 vs the upstream MIT license, and a single-maintainer project at ~2k stars versus upstream NPM’s much larger community [README][1].

What is NPMplus

NPMplus is a community fork of Nginx Proxy Manager, maintained by a developer who goes by ZoeyVid on GitHub. If you don’t know NPM: it puts a web GUI in front of nginx and Let’s Encrypt, letting you route traffic from your server to multiple internal services — think app1.yourdomain.com → localhost:3000, app2.yourdomain.com → localhost:8080 — without touching nginx config files by hand. It also handles SSL certificate issuance and renewal automatically.

NPMplus takes that foundation and layers on features that the upstream project either hasn’t prioritized or explicitly dropped. The headline additions are HTTP/3 (QUIC protocol), native CrowdSec integration for automated threat blocking, open-appsec WAF support, OIDC authentication, ML-KEM post-quantum TLS, GoAccess for log analytics, brotli/zstd compression, and a hardened default security posture [README][2]. The image is Alpine-based, making it smaller than upstream. The admin interface runs on HTTPS rather than HTTP [README].

What it’s not: a managed service, a SaaS product, or a tool that removes the need to understand what a reverse proxy does. You’re still running nginx under the hood, you’re still managing a server, and the project is maintained by one person with a small community [README][1].

As of this review: ~2k GitHub stars, 105 forks, 2,953 commits [website].


Why people choose it over vanilla NPM

The self-hosted community’s consensus is captured well across the reviews: NPMplus wins on security features and modern protocol support. It loses on community size and architectural flexibility.

The security argument. CrowdSec integration is the most-cited reason [2][4]. When you expose services to the internet, bots and scanners find them within hours. Vanilla NPM has no native intrusion prevention — you’d have to layer in fail2ban or CrowdSec separately and wire them to nginx logs yourself. NPMplus ships with CrowdSec as a first-class option in the compose.yaml, including the AppSec component for WAF-style protection [4]. The CrowdSec guest post on their official blog was written by ZoeyVid, the NPMplus maintainer, which signals genuine integration depth rather than a checkbox feature [4].

HTTP/3 and performance. The deployn.de benchmark [3] tested NPM, NPMplus with HTTP/3 enabled, and Zoraxy under load. NPMplus’s HTTP/3 support means the QUIC transport protocol handles connections — better performance on unreliable networks and faster connection setup than HTTP/2 [2][3]. For home labs used remotely, this matters. The caveat: HTTP/3 requires you to expose port 443 on UDP, not just TCP. Forgot that? Your HTTPS stops working silently [README].

The “it’s the same UI” argument. Brandon Lee’s comparison [2] makes the point clearly: NPMplus doesn’t reinvent the interface. If you’ve used Nginx Proxy Manager, the NPMplus GUI looks and behaves the same. The switch is an upgrade, not a migration. The actual migration path is documented but flagged as one-way — you can’t go back to vanilla NPM from NPMplus without a fresh install [README].

Where the community points at gaps. The Skool discussion [1] and the virtualizationhowto review [2] both note that NPMplus’s extra features come with extra configuration. You’re not just dropping in a compose.yaml — you need to decide which security layers to enable, configure CrowdSec’s acquis.d properly, understand what TRUST_CLOUDFLARE does and why it’s off by default, and handle the UDP port exposure for QUIC. None of this is hard for someone who runs Docker regularly, but it’s real friction for a true beginner.


Features

Based on the README and source articles:

Core reverse proxy (inherited from NPM):

  • Web GUI for managing proxy hosts, redirects, and stream (TCP/UDP) proxying [README]
  • Automatic Let’s Encrypt SSL certificate issuance and renewal [README]
  • Wildcard certificate support via DNS challenges [README]
  • Custom SSL certificate upload [README]
  • Access lists and basic auth [README]

NPMplus additions — networking:

  • HTTP/3 and QUIC support (requires exposing 443/UDP) [README][2][3]
  • Proxy protocol support [README]
  • Brotli and zstd compression alongside gzip [README]
  • Punycode internationalized domain support [README]
  • Empty port allowance for load balancing setups [README]
  • Improved nginx build and templates [README]

NPMplus additions — security:

  • CrowdSec integration: native log parsing and remediation component (bouncer) [README][2][4]
  • open-appsec WAF integration — attachment module runs inside the container [README][5]
  • ML-KEM post-quantum TLS support with hardened TLS settings enforced by default [README]
  • OIDC authentication support [README]
  • Basic security headers sent by default [README]
  • HTTPS-only admin interface (upstream serves the admin UI over HTTP) [README]
  • TOTP 2FA with QR codes generated locally in your browser, not via a third-party API [README]
  • Secure cookies instead of localStorage for token storage [README]
  • Gravatar images fetched by the backend and cached locally (your browser IP doesn’t reach Gravatar) [README]
  • ACME profiles with Let’s Encrypt shortlived certificates by default, OCSP/must-staple support [README]

NPMplus additions — usability:

  • GoAccess bundled for log visualization [README]
  • PHP-FPM support (both bundled and external) [README]
  • File server with fancyindex [README]
  • Password reset via docker exec command (SQLite only) [README]
  • ACME email configuration as an environment variable (no post-install wizard) [4]

What’s not there:

  • Multi-node clustering or HA — this is a single-instance tool
  • Route53 DNS challenge support (explicitly dropped) [README]
  • Support for armhf/armv7 or plain x86-64 (only x86-64-v2 and arm64) [README]
  • Easy path back to vanilla NPM after migration [README]

Pricing: SaaS vs self-hosted math

There’s no SaaS version of NPMplus and no commercial tier. This section works differently from a Zapier-replacement comparison.

The actual cost picture:

NPMplus itself is free. The cost is the server you run it on, which you likely already have if you’re self-hosting anything. On a fresh Hetzner CX22 (€4/mo), NPMplus runs comfortably alongside the services it’s proxying. Memory footprint is modest — the Alpine-based image is intentionally lean [README].

What you’re replacing:

If you’re reaching for NPMplus, you’re probably in one of two situations:

  1. Running vanilla NPM already. The switch costs you an afternoon of migration work. There’s no recurring cost difference — both are free. What you gain is the security and HTTP/3 features. The migration guide exists but warns explicitly: “Migrating back is not supported” [README].

  2. Considering a managed reverse proxy service. Services like Cloudflare Tunnel, Nginx as a managed offering, or paid CDN/proxy layers can run $20–$200+/mo depending on traffic and features. NPMplus on a server you already control costs nothing incremental and puts the CrowdSec intelligence layer, WAF, and certificate management entirely under your control.

CrowdSec economics. CrowdSec itself has a free community tier with shared blocklists, and a paid tier for premium threat intelligence. The free tier alone — which is what the NPMplus compose.yaml sets up — blocks known bad actors from a crowdsourced IP reputation database. Commercial equivalents (Cloudflare WAF, AWS WAF) run $5–$25+/mo just for the WAF layer, before traffic charges [4]. Getting this for $0 with NPMplus is real value for anyone running public-facing services.


Deployment reality check

The compose.yaml-first install path is clean if you know Docker. The official CrowdSec tutorial [4] walks through the full setup including the acquis.d configuration, which is the step most guides skip.

What you actually need:

  • A Linux server with Docker and docker-compose
  • x86-64-v2 or arm64 architecture — check with /lib/ld-linux-x86-64.so.2 --help before committing [README]
  • Ports 80/TCP, 443/TCP, and 443/UDP open and forwarded — the UDP port is new compared to vanilla NPM [4][README]
  • Port 81/TCP for the admin interface (internal only; don’t expose it publicly) [4]
  • An ACME email address for Let’s Encrypt registration [4]
  • A domain with DNS pointing at your server
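The port requirements above are the ones most often got wrong, so here is a small POSIX shell audit of a compose.yaml's ports: section, added for this review and not code from the NPMplus project. It flags a missing 443/udp mapping (the HTTP/3 caveat) and an admin port 81 published on every interface; the two compose fragments are constructed for the example and the real NPMplus compose.yaml may lay things out differently.

```shell
#!/bin/sh
# Added example: audit the ports: section of a compose.yaml for two mistakes
# this review warns about: no 443/udp mapping (HTTP/3 over QUIC needs UDP 443
# published, not only TCP) and the admin port 81 published on every interface.

# compose_ports FILE: print each "- host:container[/proto]" list entry under
# ports:, with surrounding quotes and dash removed. Volume mounts such as
# "./data:/data" do not match because their host part is not numeric.
compose_ports() {
    sed -n 's/^[[:space:]]*-[[:space:]]*"\{0,1\}\([0-9.:]*[0-9]\(\/[a-z]*\)\{0,1\}\)"\{0,1\}[[:space:]]*$/\1/p' "$1"
}

# audit_compose FILE: print one FAIL line per finding; exit 0 only when clean.
audit_compose() {
    _ports=$(compose_ports "$1")
    _rc=0
    # Host port 443 must be published with /udp (optionally prefixed by a bind IP).
    if ! printf '%s\n' "$_ports" | grep -q '^\([0-9.]*:\)\{0,1\}443:[0-9]*/udp$'; then
        echo "FAIL: no 443/udp mapping, so QUIC/HTTP/3 cannot reach the proxy"
        _rc=1
    fi
    # Container port 81 with no bind IP (or 0.0.0.0) is reachable from anywhere.
    if printf '%s\n' "$_ports" | grep -q '^\(0\.0\.0\.0:\)\{0,1\}[0-9]*:81\(/tcp\)\{0,1\}$'; then
        echo "FAIL: admin port 81 is published on all interfaces; bind it to 127.0.0.1"
        _rc=1
    fi
    return $_rc
}

# Constructed fragment with both mistakes (not the project's compose.yaml).
BAD_COMPOSE=$(mktemp)
cat > "$BAD_COMPOSE" <<'EOF'
services:
  npmplus:
    ports:
      - "80:80/tcp"
      - "443:443/tcp"
      - "81:81/tcp"
    volumes:
      - ./data:/data
EOF

# Corrected fragment: UDP 443 published for QUIC, admin UI bound to loopback.
GOOD_COMPOSE=$(mktemp)
cat > "$GOOD_COMPOSE" <<'EOF'
services:
  npmplus:
    ports:
      - "80:80/tcp"
      - "443:443/tcp"
      - "443:443/udp"
      - "127.0.0.1:81:81/tcp"
    volumes:
      - ./data:/data
EOF

for _f in "$BAD_COMPOSE" "$GOOD_COMPOSE"; do
    if audit_compose "$_f"; then
        echo "$_f: OK"
    else
        echo "$_f: needs changes"
    fi
done
```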

What can go sideways:

The architecture check is a real gotcha. Plain x86-64 (v1) is explicitly not supported. If you’re running an older VPS or a specific NAS CPU, check before you start [README].
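A portable cross-check for that requirement, written for this review as an added example (not the NPMplus project's own code): it reads the CPU flag line from /proc/cpuinfo and reports which x86-64-v2 features are missing. The flag names are the ones Linux prints (pni is SSE3); the README's /lib/ld-linux-x86-64.so.2 --help check remains the authoritative test.

```shell
#!/bin/sh
# Added example: check a CPU flag line against the x86-64-v2 baseline that
# NPMplus requires. Per the psABI, x86-64-v2 adds CMPXCHG16B, LAHF/SAHF,
# POPCNT, SSE3, SSSE3, SSE4.1 and SSE4.2 to baseline x86-64. Flag names
# below are the ones Linux prints in /proc/cpuinfo (SSE3 appears as "pni").
V2_FLAGS="cx16 lahf_lm popcnt pni ssse3 sse4_1 sse4_2"

# x86_64_v2_missing FLAGS: print the v2 features absent from FLAGS, one per line.
x86_64_v2_missing() {
    _flags=" $1 "
    for _f in $V2_FLAGS; do
        case "$_flags" in
            *" $_f "*) ;;                  # present
            *) printf '%s\n' "$_f" ;;      # absent
        esac
    done
}

# x86_64_v2_ok FLAGS: succeed (exit 0) only when every v2 feature is present.
x86_64_v2_ok() {
    [ -z "$(x86_64_v2_missing "$1")" ]
}

# host_cpu_flags: the "flags" line of the first CPU in /proc/cpuinfo
# (x86 only; arm64 kernels expose "Features" instead, which this does not read).
host_cpu_flags() {
    awk -F': *' '/^flags/ { print $2; exit }' /proc/cpuinfo
}

# Report on the machine this runs on. The README's glibc loader check
# (/lib/ld-linux-x86-64.so.2 --help) is authoritative; this cross-check also
# works where that loader is absent, e.g. inside an Alpine container.
if [ "$(uname -m)" = "x86_64" ] && [ -r /proc/cpuinfo ]; then
    _host=$(host_cpu_flags)
    if x86_64_v2_ok "$_host"; then
        echo "x86-64-v2: supported"
    else
        echo "x86-64-v2: NOT supported; missing: $(x86_64_v2_missing "$_host" | tr '\n' ' ')"
    fi
fi
```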

The Cloudflare proxy situation requires attention. NPMplus defaults to not trusting Cloudflare proxy headers. If you’re using Cloudflare in front of your server (orange cloud), you need to set TRUST_CLOUDFLARE=true — but the README explicitly warns to read the associated notes first, because blindly trusting Cloudflare headers has security implications [README].

The certbot DNS plugin changes are a migration landmine. Five plugins were replaced in NPMplus, meaning existing certificates using certbot-dns-he, certbot-dns-dnspod, certbot-dns-online, certbot-dns-powerdns, or certbot-dns-do will not renew automatically — they have to be recreated [README]. If you’re migrating from upstream NPM with any of these providers, plan for this.

MariaDB and PostgreSQL work technically but are unsupported and offer no advantage over SQLite in this context [README]. Use SQLite unless you have a specific reason not to.

The open-appsec WAF integration requires uncommenting additional lines in the compose.yaml and optionally connecting to the open-appsec management portal [5]. It’s not automatic — you opt in deliberately.

Time estimate: A technical user with Docker experience: 30–60 minutes from nothing to a working proxy host with SSL. Adding CrowdSec properly: another 30–45 minutes following the setup guide [4]. For a first-time Docker user: budget 3–5 hours including understanding what you’re doing, not just pasting commands.


Pros and Cons

Pros

  • Security features that actually matter. CrowdSec, open-appsec WAF, ML-KEM TLS, hardened nginx defaults, HTTPS admin interface — this is meaningful defense-in-depth for anyone with internet-facing services [2][4][5]. Vanilla NPM has none of this.
  • HTTP/3 / QUIC support. Measurably better performance for remote connections compared to HTTP/2, especially on mobile or unreliable links [2][3]. The deployn.de benchmark [3] confirms real-world throughput improvements.
  • Drop-in upgrade from NPM. Same GUI, same concepts, same compose.yaml structure. If you know NPM, you know NPMplus [2].
  • Privacy-conscious defaults. Gravatar fetched server-side, TOTP QR codes generated locally, secure cookies instead of localStorage — small things that add up [README].
  • GoAccess bundled. Log analytics without a separate stack. You can see who’s hitting your services without shipping logs to a third party [README].
  • Alpine-based, smaller footprint than upstream’s image [README].
  • Active maintenance. 2,953 commits, actively tracking upstream changes, and the maintainer is writing tutorials on partner platforms like the CrowdSec blog [4].

Cons

  • AGPL-3.0, not MIT. The merged profile for this tool incorrectly lists the license as MIT. The README is clear: AGPL-3.0. If you embed this in a commercial product or distribute it, the copyleft terms apply. The upstream NPM is MIT [README].
  • x86-64-v2 minimum cuts off older hardware. Plain x86-64 (common in older VPSes and some NAS devices) is explicitly not supported [README]. No 32-bit, no armhf. Arm64 works, but the architecture matrix is narrower than upstream.
  • Single maintainer risk. With ~2k stars and one primary maintainer (ZoeyVid), bus factor is a real concern. Compare to upstream NPM’s larger contributor base or Traefik’s commercial backing. The project is active, but it’s one person’s side project [README][1].
  • Incompatible migration path. You can migrate from NPM to NPMplus, but you can’t go back without a fresh install. That’s a meaningful commitment [README].
  • Certbot DNS plugin changes break existing certs. Five providers were swapped out — certs using those won’t auto-renew [README]. Easy to miss in the compatibility notes.
  • No Route53 DNS challenge support. AWS shops can’t use NPMplus for wildcard cert validation via Route53 [README].
  • Extra setup complexity vs vanilla NPM. The extra features (CrowdSec, open-appsec, HTTP/3’s UDP port) require deliberate configuration steps. You don’t get security for free — you get the option of security with more setup [4][5].
  • LXC containers are discouraged. The maintainer explicitly says not to run NPMplus inside an LXC container, pointing you toward KVM or bare Docker on the host [README]. Common home lab setups (Proxmox LXCs) need this caveat on their radar.

Who should use this / who shouldn’t

Use NPMplus if:

  • You’re already running vanilla Nginx Proxy Manager and want CrowdSec or open-appsec WAF without architecting a separate solution.
  • You’re starting fresh with a reverse proxy and security isn’t an afterthought.
  • Your hardware is x86-64-v2 or arm64 and you’re comfortable with Docker Compose.
  • You want HTTP/3 support without compiling a custom nginx build or switching to Caddy.
  • You care about the privacy details: no third-party QR code generators, no browser-visible Gravatar requests, no token in localStorage.

Use vanilla Nginx Proxy Manager instead if:

  • You need MIT licensing for commercial embedding.
  • You’re running on older x86-64 hardware that doesn’t meet the v2 requirement.
  • You’re a true beginner who just needs “make my service accessible at a domain name” and doesn’t want to think about WAF configuration.
  • You’re running in Proxmox LXC containers and don’t want to restructure your setup.

Use Traefik instead if:

  • You want infrastructure-as-code — all config in files, version-controlled, no web GUI.
  • You’re running Kubernetes or a Docker Swarm with automatic service discovery.
  • You need a large plugin ecosystem and commercial support options.

Use Caddy instead if:

  • You want the absolute simplest configuration (the NPMplus README itself suggests Caddy if you don’t need the web GUI) [README].
  • You’re comfortable with a Caddyfile and want automatic HTTPS with minimal moving parts.
  • Performance is the primary driver — Caddy is written in Go and benchmarks well [3].

Use Zoraxy instead if:

  • You want a modern Go-based alternative to NPM-style proxies that also has a GUI.
  • The deployn.de benchmark [3] put Zoraxy in the comparison and it handled load well; worth evaluating for new setups.

Alternatives worth considering

  • Nginx Proxy Manager (upstream) — the base project. MIT licensed, larger community, simpler setup, no HTTP/3 or CrowdSec out of the box. https://github.com/NginxProxyManager/nginx-proxy-manager
  • Caddy — Go-based, automatic HTTPS, no GUI, extremely clean config syntax. The NPMplus README recommends it for users who don’t need the GUI [README]. https://caddyserver.com
  • Traefik — the Kubernetes/Docker Swarm native choice. Config-as-code, auto service discovery, large plugin ecosystem, commercial support available. https://traefik.io
  • Zoraxy — newer Go-based reverse proxy with a GUI, active development, no nginx dependency. Benchmarked directly against NPMplus in deployn.de’s 2025 test [3]. https://github.com/tobychui/zoraxy
  • HAProxy — battle-tested, extremely high performance, no web GUI (third-party GUIs exist). Enterprise-grade but requires more configuration knowledge.
  • Nginx itself — if you actually want to learn the tool, not abstract it away. More work, total control.

Bottom line

NPMplus is the right answer to a specific question: “I want Nginx Proxy Manager but with CrowdSec, HTTP/3, and a security posture that doesn’t embarrass me.” It delivers on that promise. The maintainer has made opinionated choices — AGPL-3.0, Alpine base, x86-64-v2 minimum, hardened TLS defaults — that reflect genuine security thinking rather than feature-checklist engineering.

What it isn’t: a beginner’s tool, a SaaS replacement, or a project with the community safety net of Traefik or Caddy. It’s a well-maintained fork run by one person who clearly knows what they’re doing with nginx and security. If your architecture fits the constraints and you’re already in the NPM world, it’s a straightforward upgrade. If you’re starting fresh, compare it honestly against Caddy (simpler) and Traefik (more scalable) before committing.

If standing up any of this is the blocker, upready.dev deploys self-hosted infrastructure for founders who want the security benefits without the setup afternoon.


Sources

  1. Brandon Lee, Home Lab Explorers / Skool, “I finally took a look at Nginx Proxy Manager vs NPMplus” (Sep 2025). https://www.skool.com/homelabexplorers/i-finally-took-a-look-at-nginx-proxy-manager-vs-npmplus
  2. Brandon Lee, Virtualization Howto, “Nginx Proxy Manager vs NPMplus: Which One is Better for Your Home Lab?” (Sep 25, 2025). https://www.virtualizationhowto.com/2025/09/nginx-proxy-manager-vs-npmplus-which-one-is-better-for-your-home-lab/
  3. deployn.de, “Reverse Proxy Benchmark 2025: NPM vs. NPM+ (HTTP/3) vs. Zoraxy”. https://deployn.de/en/blog/reverse-proxy-benchmark-2025/
  4. ZoeyVid (guest post), CrowdSec Blog, “Enhancing Web Server Security with NPMplus and CrowdSec”. https://www.crowdsec.net/blog/web-server-security-with-npmplus-and-crowdsec
  5. open-appsec Documentation, “NPMplus integration with open-appsec WAF”. https://docs.openappsec.io/integrations/npmplus
